Imagine the following: depositors can’t check their bank account balances or withdraw money for several days because the bank’s mobile app has gone down. Or, a young married couple invites friends over to watch a highly anticipated playoff game only to realize the streaming service has been cut off. No game available today.
These scenarios are entirely possible, yet most of us don’t think about them actually happening. We live under the false assumption that the applications we use every day are infallible. But in reality, massive outages because of security breaches are always a lurking threat, and everyone is vulnerable.
In fact, a huge application programming interface (API) security breach looms right around the corner. Why? Combine ever-expanding attack surfaces, hackers who are getting smarter by the day, an increase in the number of security incidents overall, the fact that API security is tough to master as-is, and major attacks are inevitable.
It’s already happened in Australia: last year, an API attack hit telecom company Optus, which experienced a breach that exposed the data of 9.8 million customers, including information such as driver's licenses, passports, names, and phone numbers.
Depending on which company gets targeted in the next big API attack, its impact could be far-reaching and serve as a much-needed wake-up call regarding the importance of API security. Given it’s likely just around the corner, let’s look at what makes APIs challenging to secure in the first place and steps organizations should take to protect their attack surface.
The challenge with API security
Pick any security breach that has occurred in the last few years (barring ransomware incidents), and it’s likely that an API was involved. From Pelton to T-Mobile to Twitter, companies’ APIs are acting as a getaway car for hackers to steal private information.
Despite major advancements in security throughout the years, API security remains a challenge. It’s hard to determine who should take organizational ownership of API security within a company. Is it an API developer problem to solve? Purely a security challenge? Or maybe even a product challenge?
When there’s ambiguity around who’s responsible for API security, mistakes, oversights, and attacks are more likely to happen. API security isn’t as cut and dry as ransomware, for instance: There’s no debate about who defends an organization’s endpoints — it’s always the IT security team’s job. But it’s more difficult to determine exactly who’s responsible for API security.
Here are two steps organizations can take to bolster API security:
- Identify a champion: Until a company has experienced firsthand the pain of an API breach, they may not have gone through the process of devising a strategy to solve for API security. It’s most often an outage or attack that finally pushes organizations to take action. Identifying a designated champion lets companies be more strategic and proactive in their approach to API security by eliminating any confusion around responsibility. An API security champion can help their organization assess its current security posture and identify problem areas and priorities that need addressing before an incident happens. They can also educate other teams within the company on the importance of strong API security and devise a strategy that everyone’s on board with.
- Practice continual assessment: Securing APIs doesn't happen only at a single point in time, like when an organization tries to block an attacker. It happens when organizations embed secure principles from the moment developers begin building an application all the way through the API lifecycle. It’s a continuous process that requires careful attention and assessment from cradle to grave. This can include regularly conducting an OWASP API Security Top Ten self-assessment, monitoring and analyzing API traffic patterns to identify and mitigate suspicious activity, or performing security audits and penetration testing. Do this on a continual basis to identify and respond to potential threats in a timely manner.
More API security breaches are on the horizon, but companies can take steps to better protect their attack surface in the interim. By choosing a champion responsible for API security, and conducting ongoing assessments that clue them in to potential issues, organizations have the best chance at not falling victim to cyberattacks.
Karl Mattson, chief information security officer, Noname Security